There is a vulnerability in Bluetooth technology that allows an attacker to bypass authentication mechanisms and emulate keystrokes on Apple devices, as well as on gadgets running Android and Linux. The vulnerability was discovered by an engineer at SkySafe, a company that specializes in drone-related security solutions.
No special equipment is required to exploit the vulnerability, tracked as CVE-2023-45866: the attack is carried out from a computer running Linux with an ordinary Bluetooth adapter. Engineer Marc Newlin, who discovered the bug, reported it to Apple, Google, Canonical and the Bluetooth SIG. He is willing to publish full details of the vulnerability and sample exploit code at an upcoming conference, but wants to wait until developers have fixed it. The attack allows an attacker located near the victim's device to emulate keystrokes and perform malicious actions on devices that do not require a password or biometric login.
“The vulnerability is triggered by fooling the Bluetooth host when connecting to a fake keyboard without user verification. The Bluetooth specification describes a basic connection mechanism without authentication, and vulnerability-specific flaws make it accessible to an attacker,” Newlin commented on his discovery. In 2016, he developed the MouseJack attack method, which likewise made it possible to forge keystrokes on keyboards and mice from 17 manufacturers.
The roots of the new vulnerability go even deeper: the researcher confirmed that the attack works on devices running Android versions 4.2.2 through 10, for which there is no fix and none will be issued. For devices running Android 11 to 14, Google has already developed a patch that is available to its OEM partners and will ship in the December update for Pixel devices. In the Linux camp, a fix was available back in 2020, but among the distributions only ChromeOS enabled it. Others, including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine, ship with the patch disabled by default; in particular, the Ubuntu long-term support releases 18.04, 20.04 and 22.04 and the current release 23.10 remain vulnerable. Devices running Apple macOS and iOS are affected when a Magic Keyboard is connected to the machine, and Apple's Lockdown Mode offers no protection against it. Apple confirmed to Newlin that it had received his report, but did not give a time frame for fixing the vulnerability.
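The article says the Linux fix exists but is disabled by default on most distributions. The script below is an added example, not part of the article or of any project it mentions: it reports whether a BlueZ `input.conf` turns the mitigation on, using the BlueZ option name `ClassicBondedOnly`, which the article itself does not name and which is assumed here to be the relevant setting; the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check whether a BlueZ input.conf enables ClassicBondedOnly,
# the option that makes BlueZ reject Bluetooth Classic HID connections from
# devices that are not bonded. The option name is BlueZ's (assumed here; the
# article does not name it). If the key is absent or commented out, the
# distribution default applies, which the article describes as disabled.

# Usage: bluez_hid_mitigation_state /etc/bluetooth/input.conf
# Prints "enabled", "disabled" or "missing-file".
bluez_hid_mitigation_state() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing-file"; return 0; }
    # Keep only uncommented "ClassicBondedOnly = <value>" lines, take the
    # last one (later keys win), and normalise the value to lowercase.
    value=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    case "$value" in
        true) echo "enabled" ;;
        *)    echo "disabled" ;;
    esac
}

# Constructed sample configs (not real system files) to exercise the check.
tmp=$(mktemp -d)
printf '[General]\n#ClassicBondedOnly=false\nUserspaceHID=true\n' > "$tmp/default.conf"
printf '[General]\nClassicBondedOnly=true\n' > "$tmp/hardened.conf"

bluez_hid_mitigation_state "$tmp/default.conf"      # prints: disabled
bluez_hid_mitigation_state "$tmp/hardened.conf"     # prints: enabled
bluez_hid_mitigation_state "$tmp/nonexistent.conf"  # prints: missing-file
```

Point the function at the real `/etc/bluetooth/input.conf` to audit a host; "disabled" means the system still behaves the way the article describes for the affected distributions.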